Template Injection Vulnerability in Twig PHP Template Engine
CVE-2026-46634

7.7HIGH

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46634?

A template injection vulnerability exists in the Twig PHP template engine versions 3.9.0 through 3.26.0. The issue arises from the template_from_string() function, which compiles inner templates under synthesized names that may bypass the SourcePolicyInterface sandbox. This allows attackers to execute untrusted code by calling template_from_string or including additional templates, effectively rendering inner templates without the expected security policy enforcement. The vulnerability was resolved in version 3.26.0, emphasizing the need for users to update to this version or later to mitigate potential risks.

Affected Version(s)

Twig >= 3.9.0, < 3.26.0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.